Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/rest/issues/issues?apiVersion=2026-03-10#create-an-issue
What part(s) of the article would you like to see updated?
The documentation currently states:
Any user with pull access to a repository can create an issue.
and
"Issues" repository permissions (write)
This is incomplete and confusing when trying to work with FGTs or IATs: if the repository is public, any token which can see the repository can create issues, even with no permissions whatsoever (or as low as they can be without losing repository access, so metadata: read).
The GET /repos/{owner}/{repo}/issues endpoint on the same page has the following caveat added to the permissions section:
This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.
This one probably needs the same.
Furthermore, I have not tested it, but POST /repos/{owner}/{repo}/pulls might too if it follows normal policy:
- the default configuration is PR creation allowed to all users, so I would assume tokens with any access to a (public) repository can create PRs
- PR creation can be restricted to "collaborators only"; I do not know whether IATs or FGTs with access to a repository are classified as collaborators
Additional information
No response